In his blog, IIA President and CEO Richard Chambers shares his personal reflections and insights on the internal audit profession.
It's Hard for Internal Auditors to "Follow the Risks" When There Is No Consensus
One of the persistent challenges internal auditors face is finding alignment with stakeholders on the risks that most threaten their organizations. For many years, I have written about the importance of building relationships with those we work for and with to nurture communications that support alignment. Indeed, the most common advice I’ve offered to chief audit executives (CAEs) over the years is “know what is keeping our stakeholders up at night” and “follow the risks.”
A recently published report from Protiviti and the North Carolina State University ERM Initiative helps shed light on that alignment (or misalignment). Executive Perspectives on Top Risks: Key Issues Being Discussed in the Boardroom and C-suite (PDF) examines risks facing organizations in 2021 and beyond as seen by a wide variety of respondents, from board members to every position that makes up the C-suite, including CAEs.
Two key takeaways from the report offer a good news/bad news scenario. First the good news: There is encouraging uniformity across the respondent mix about the No. 1 risk facing organizations in 2021 — the impact of COVID-19-related policies and regulations on business performance. The bad news: That’s where the consensus ends. While this is not ideal from an ERM perspective, it is useful in building awareness of the critical need for alignment.
For example, the second-highest-rated risk as identified by CAEs — managing cyber threats — does not show up in any of the top five risks for CEOs, chief financial officers (CFOs), or chief risk officers (CROs). That is not to say cyber doesn’t continue to be a top risk; it comes in at sixth overall. However, it is significant that, among C-suite respondents, only CAEs view it among the top five risks in 2021.
CAEs’ focus on cybersecurity also is reflected in the upcoming 2021 North American Pulse of Internal Audit report. Cybersecurity, in fact, has ranked as the highest-rated risk among Pulse respondents every year from 2016 through 2020. It is important to note that the survey for this year’s Pulse report was conducted in October/November, reflecting the significant influence of the pandemic on CAEs’ overall risk assessments. Yet, the Pulse data also shows that cybersecurity as a percentage of audit plan allocation remains a lower priority, ranging from 6% to 8% over the same five-year period.
So, what are the more significant risks on the minds of our stakeholders? Two additional risks made the top five for boards, CEOs, and CFOs in the Protiviti/NC State report: Economic conditions in markets may significantly restrict growth opportunities, and market conditions imposed by the pandemic may impact customer demand for products and services.